New ransomware Erebus infects thousands of websites in S. Korea

A ransomware called "Erebus" has infected thousands of South Korean websites connected to Linux servers run by a local web hosting company, prompting state security authorities and police to launch an investigation.

Nayana, a South Korean web hosting company, said Monday in a notice posted on its homepage that 153 of its Linux servers were found to have been infected with Erebus on Saturday. The websites of some 3,400 companies and groups were infected with the ransomware, a type of malicious software that prevents or limits users from accessing their system until they pay a ransom in Bitcoin, a digital payment system.

The ransom amount initially requested by Erebus stood at 10 Bitcoins, or 32.7 million won (29,075 US dollars), per server, Nayana said, adding that the attackers now ask for 5.4 Bitcoins. The Korea Internet and Security Agency, a state security body, and police have launched an investigation, the company said, vowing to regain control of the infected servers with the help of state experts.

Unlike WannaCry, which attacks random targets, Erebus attacks designated targets, using a User Account Control (UAC) bypass that allows the ransomware to run with elevated privileges without displaying a UAC prompt.

WannaCry exploited flaws in the file-sharing protocol known as SMB (Server Message Block). That ransomware spreads between computers like a worm and encrypts all files, leaving users unable to access them. Erebus displays a message box on the Windows desktop alerting the victim that their files have been encrypted. When the victim clicks the "Recover my files" button, they are taken to Erebus' Tor payment site, where they receive payment instructions.